Hi there, On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote:
desjardins.com is a Québec, Canada co-op bank institution, and for a couple of weeks all their email to our email server has been flagged by my Clam for Heuristics.Phishing.Email.SpoofedDomain ...
They probably did something stupid.
But it's starting to be problematic to exclude so many Desjardins.com emails from Clam. Any idea?
Well, you could ask them to think about what they're sending. But good luck with that, if it's a bank... :)

How is ClamAV seeing the mail? Is it through a milter? Most will offer the facility to whitelist a domain, or something like that, see for example "EXCLUSIONS" in man clamav-milter.conf but beware that it's possible (and very common) to spoof domain names, so listing IP addresses might be safer.

I wouldn't recommend relying on SPF for this domain. I don't think allowing a couple of /48 CIDRs (not to mention three each of IPv4 /16 and /17, a /15, a /14 and some dozens of ranges from /19 to /24) is likely to offer much protection to anyone from forgeries from IP addresses not controlled by them. It looks like instead of thinking about forgery they tried to include as many IP ranges as they could possibly think of in their SPF record on the off-chance that some random Outlook user would want to send mail on their behalf (or more likely they don't care about forgery, just about not getting their mail rejected).

If it's difficult to do using whatever feeds the mail to ClamAV, then you could do some post-processing after the ClamAV verdict is given, or even ignore the signature completely. See for example https://docs.clamav.net/faq/faq-ignore.html?highlight=ignore#how-do-i-ignore-a-clamav-signature but then the signature won't catch spoofing attempts from other sources.

Ideally you'd have fine-grained control in your mail system over what ClamAV sees, so that you can deal with issues like this easily as they arise - because they're very common.

-- 
73, Ged.
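As an added illustration of the post-processing approach Ged describes (this is example code written for this page, not code from the thread, from ClamAV or from clamav-milter), the script below takes a clamd result line plus the IP address of the relay that delivered the message and decides whether the verdict may be relaxed. The override is keyed on the relay IP rather than on the From: domain, which is the point made above about domain spoofing, and it applies to Heuristics.Phishing.Email.SpoofedDomain only, so every other detection still quarantines. The allow-listed networks are constructed placeholders from the documentation ranges, and the sample verdicts and addresses are constructed as well.

```python
import ipaddress
import re

# Only this heuristic is eligible for an override.  Anything else ClamAV
# reports (malware, other phishing heuristics) is never relaxed here.
OVERRIDABLE = {"Heuristics.Phishing.Email.SpoofedDomain"}

# Constructed placeholder ranges.  In a real deployment these would be the
# sender's verified outbound relay addresses, collected from the Received:
# headers of known-good mail, not copied from their SPF record, since the
# thread points out how broad that record is.
TRUSTED_RELAYS = [
    ipaddress.ip_network("192.0.2.0/24"),      # RFC 5737 documentation range
    ipaddress.ip_network("2001:db8:1::/48"),   # RFC 3849 documentation range
]

# clamd answers INSTREAM/SCAN requests with "<name>: <signature> FOUND" or
# "<name>: OK"; this pattern accepts both forms.
VERDICT_RE = re.compile(r"^(?P<name>.+?): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_verdict(line):
    """Return (scanned name, signature or None) for one clamd result line."""
    m = VERDICT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised clamd verdict: {line!r}")
    return m.group("name"), m.group("sig")


def is_trusted_relay(ip_text, networks=TRUSTED_RELAYS):
    """True only if ip_text parses and lies inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable address in the connection log is never trusted
    return any(addr in net for net in networks)


def decide(verdict_line, relay_ip, networks=TRUSTED_RELAYS):
    """Map a clamd verdict plus the connecting relay's IP to an action.

    Returns ("accept", reason) or ("quarantine", reason).  The override is
    keyed on the relay IP, not on the From: domain, because the domain is
    exactly what the phishing heuristic says is being spoofed.
    """
    _, sig = parse_verdict(verdict_line)
    if sig is None:
        return "accept", "clean"
    if sig in OVERRIDABLE and is_trusted_relay(relay_ip, networks):
        return "accept", f"{sig} overridden: relay {relay_ip} is allow-listed"
    return "quarantine", f"{sig} from relay {relay_ip}"


if __name__ == "__main__":
    # Constructed sample verdicts and relay addresses, not real traffic.
    samples = [
        ("stream: Heuristics.Phishing.Email.SpoofedDomain FOUND", "192.0.2.25"),
        ("stream: Heuristics.Phishing.Email.SpoofedDomain FOUND", "198.51.100.7"),
        ("stream: Win.Test.EICAR_HDB-1 FOUND", "192.0.2.25"),
        ("stream: OK", "198.51.100.7"),
    ]
    for line, ip in samples:
        action, reason = decide(line, ip)
        print(f"{action:10} {reason}")
```

The point of keeping the override narrow is that the signature keeps doing its job for everyone else: a spoofed-domain hit from a relay outside the allow-list is still quarantined, and a non-heuristic detection from an allow-listed relay is never relaxed. Compared with dropping the signature name into an .ign2 file as the FAQ describes, this keeps the detection active while removing the false positives from one known sender.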
